1. Definitions

Capitalized terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679), the UK GDPR, the California Consumer Privacy Act / CPRA, and India's Digital Personal Data Protection Act, 2023 (DPDPA), as applicable. "Customer" means the wedding host, planner, or other admin who controls a Phera account. "Personal Data" means data the Customer or their guests upload that identifies, relates to, or could reasonably be linked to an individual. "Processing" has the meaning given in the GDPR.

2. Roles

For Personal Data uploaded to or generated through the Service about the Customer's guests, vendors, or other third parties, the Customer is the Controller (or DPDPA "Data Fiduciary") and Phera is the Processor (DPDPA "Data Processor"). Phera will Process Personal Data only on documented instructions from the Customer (which include the Customer's use of the Service and these Terms).

3. Scope & Subject Matter

• Subject matter: Provision of the Phera Service.
• Duration: For as long as the Customer uses the Service plus the retention periods described in Section 8 of the Privacy Policy.
• Nature and purpose: Hosting, transmission, storage, AI processing, messaging, and analytics necessary to operate the Service.
• Categories of Data Subjects: Wedding guests, vendors, and other contacts entered into the Service by the Customer.
• Categories of Personal Data: Names, contact details (phone, email), RSVP responses, dietary and accessibility info, travel and accommodation data, passport-name spelling, visa status, emergency contacts, language preference, photo and audio uploads, message content.

4. Phera's Obligations

Phera will:

• Process Personal Data only as necessary to provide the Service and on the Customer's documented instructions, except where required by law (and notify the Customer of any such legal requirement before Processing, unless prohibited);
• Implement and maintain the technical and organizational security measures described in Section 9 of the Privacy Policy and in Schedule A below;
• Ensure that personnel authorized to Process Personal Data are subject to confidentiality obligations;
• Assist the Customer in fulfilling its obligations to respond to Data Subject requests, perform Data Protection Impact Assessments, and consult with supervisory authorities;
• Notify the Customer without undue delay (and within 72 hours) on becoming aware of a Personal Data Breach affecting the Customer's Personal Data, providing the information required by GDPR Article 33(3) / DPDPA Section 8(6);
• On termination, delete or return all Personal Data per the retention schedule in the Privacy Policy or sooner upon the Customer's written request, unless retention is required by law.

5. Customer Obligations

Customer:

• Has and will maintain a lawful basis to Process the Personal Data it provides to Phera under all applicable laws (consent, contract, legitimate interests, etc.);
• Has provided notice to Data Subjects as required by law, including notice that Phera will message guests on WhatsApp on the Customer's behalf;
• Will respond to Data Subject requests it receives directly, with Phera's assistance under Section 4;
• Will not upload Special Categories of Personal Data (GDPR Art. 9) unless reasonably necessary for wedding logistics (e.g. dietary, accessibility);
• Will configure Phera and use it in compliance with applicable law.

6. Sub-Processors

The Customer authorizes Phera to engage the Sub-Processors listed at /legal/sub-processors. Phera will provide at least 30 days' notice before adding or replacing a Sub-Processor (by updating the page above and, on request, by email). The Customer may object on reasonable data-protection grounds within that period; if Phera cannot accommodate the objection, the Customer may terminate the Service for that wedding and receive a pro-rata refund of pre-paid fees for the unused term.

Phera enters into a written agreement with each Sub-Processor that imposes data-protection obligations no less protective than those in this DPA, and remains liable for the performance of each Sub-Processor.

7. International Transfers

Where Phera transfers Personal Data from the EEA, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the EU Standard Contractual Clauses (Decision 2021/914) and, where applicable, the UK International Data Transfer Addendum, are incorporated into this DPA by reference. The Customer is the "data exporter," and Phera is the "data importer." Module 2 (Controller-to-Processor) applies to the Customer's direct relationship with Phera; Module 3 (Processor-to-Processor) applies between Phera and its Sub-Processors. For transfers from India, Phera complies with DPDPA Section 16 and any restrictions notified by the Central Government from time to time.

8. Audits

Phera will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, including by providing summaries of recent third-party audits and answering reasonable security questionnaires once per twelve-month period (and more frequently following a confirmed Personal Data Breach). On-site audits are by appointment, are subject to confidentiality, and are at the Customer's expense.

9. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Phera Terms of Service, including the cap in Section 17 of those Terms.

10. Order of Precedence

In case of conflict between this DPA and the Terms of Service, this DPA prevails to the extent of the conflict and only with respect to the Processing of Personal Data.

Schedule A — Security Measures

• TLS 1.2+ in transit; AES-256 encryption at rest for the Postgres database and object storage;
• Row-Level Security in Postgres scoped per wedding;
• Secrets stored in environment-variable vaults; rotation on personnel changes;
• MFA required on all administrator accounts; principle of least privilege;
• Real-time error monitoring (Sentry) with PII scrubbing;
• 30-day rolling backups, encrypted and access-controlled;
• Quarterly internal security review; annual third-party penetration test (planned);
• Documented incident-response plan with 72-hour breach-notification commitment.

Contact

Questions about this DPA: privacy@phera.io.